Thieves break Experian’s credit freeze, 'thaw' accounts: report

Identity thieves exploit website feature to unfreeze accounts so they can open new lines of credit

Experian faces issues with how accounts are ‘thawed,’ according to a report from KrebsOnSecurity.

The cybersecurity blog reported that a reader had his freeze "thawed" without authorization on Experian’s website, demonstrating "how truly broken authentication and security remains in the credit bureau space."

The consumer credit reporting company, which maintains credit information on approximately 220 million U.S. consumers, allows consumers to lock or freeze their files to restrict access to their credit report. A freeze makes the file harder to abuse, protecting the consumer from thieves who would use the information to open new accounts.

The KrebsOnSecurity report cited a software engineer who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name.

"But the crooks were persistent," KrebsOnSecurity writes. Thieves unfroze the engineer’s account at Experian and applied for new lines of credit in his name. The engineer later discovered that someone used the "request your PIN" feature on Experian’s site to obtain his PIN and unfreeze his file.

Due to the hole in the authentication process, "one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer," according to the report.
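The two weaknesses the report describes in that PIN retrieval flow, modelled as an added Python example (this is not Experian's code; the consumer record, addresses and PIN are constructed): the weak handler sends the PIN to whatever address is typed in and tells nobody, while the hardened handler releases it only to an address already on file and notifies every on-file address of the attempt either way.

```python
from dataclasses import dataclass, field


# Constructed sample consumer file, not real data: two contact addresses on file
# and the PIN that lifts the credit freeze.
@dataclass
class ConsumerFile:
    emails: frozenset
    freeze_pin: str
    # (recipient, message) pairs the system would e-mail; collected here so the
    # behaviour can be inspected instead of sent.
    notifications: list = field(default_factory=list)


def new_sample_file():
    return ConsumerFile(
        emails=frozenset({"owner@example.com", "owner-backup@example.com"}),
        freeze_pin="2468",
    )


def retrieve_pin_weak(record, requester_email):
    """Models the flaw the report describes: the PIN goes to whatever address
    was supplied, and the addresses already on file are never told."""
    return {"delivered_to": requester_email, "pin": record.freeze_pin}


def retrieve_pin_hardened(record, requester_email):
    """Release the PIN only to an address already on file, and notify every
    on-file address about the request whether or not it was honoured."""
    known = requester_email in record.emails
    if known:
        message = f"Your credit-freeze PIN was requested and sent to {requester_email}."
    else:
        message = "Someone requested your credit-freeze PIN from an address not on file; it was not sent."
    for addr in record.emails:
        record.notifications.append((addr, message))
    if not known:
        # The web response shown to the requester should be the same generic
        # text in both cases; this dict models only what the mailer delivers.
        return {"delivered_to": None, "pin": None}
    return {"delivered_to": requester_email, "pin": record.freeze_pin}
```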

"[A] basic consumer...[free] account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes," KrebsOnSecurity reported.

Experian’s CreditLock, a paid service, does offer multifactor authentication, and consumers receive alerts when someone tries to access their account.

The report also said that the multiple-choice questions asked after a consumer enters their address, Social Security number and date of birth did not appear to draw on information that only the credit bureau would know, which poses a security problem.

"Our authentication processes go beyond requiring users to provide personally identifiable information (PII) and answering knowledge-based authentication (KBA) questions," an Experian spokesperson told FOX Business. "While we do not disclose those additional processes for obvious security reasons, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. Experian is strongly committed to protecting consumers and their identities."

KrebsOnSecurity added that "Experian is hardly alone," and that other credit reporting agencies have similar security problems, which the cybersecurity news site has reported about in the past.

Experts say compromised financial records are all too common.

"In the past 12 months there have been over 1,200 data breaches exposing Social Security numbers and over 1.8 billion financial records compromised. Limiting the fall-out from these events is an important part of disrupting the economic incentive behind stealing data," Inga Goddijn, executive vice president of Risk Based Security, told FOX Business.

The Experian spokesperson said that it is "continually innovating to guard against a constant and evolving threat posed by fraudsters [and that] many organizations across industries leverage Experian’s identity verification and authentication solutions to accurately assess if an identity is legitimate."

TransUnion said that it investigated a report Brian Krebs of KrebsOnSecurity made last year.

"Last year, we investigated the assertion that Brian Krebs’s credit report was obtained by an unauthorized individual, and we determined he was the victim of a targeted fraud attack. During our review of this matter, we also identified a subsequent attempt against Mr. Krebs that was successfully blocked by enhanced controls. TransUnion constantly enhances and refines our security controls to combat the ever-present threats of fraud and malicious activity while still ensuring that consumers have access to their information," a TransUnion spokesperson said.